More Fun with Syma 107 Reverse Engineering

Syma Reverse Engineering

[Jim] used a logic analyzer to do some in depth analysis of the Syma 107G helicopter’s IR protocol. We’ve seen work to reverse engineer this protocol in the past, but [Jim] has improved upon it.

Instead of reading the IR output of the controller, [Jim] connected a Saleae Logic directly to the controller’s circuitry. This allowed him to get more accurate timing, which helped him find out some new things about the protocol. He used this to create a detailed explanation of the protocol.

One of the major findings is that the controller used a 3 byte control packet, which contradicts past reverse engineering of the device. There’s also a new explanation of how multiple channels work. This allows multiple helicopters to be flown without the controllers interfering.

The write up is quite detailed, and explains the reverse engineering process. It also provides great information for anyone wanting to hack one of these low cost helicopters. From the details [Jim] worked out, it would be fairly easy to implement the protocol on your own hardware.

Turning four smaller helicopters into one larger quadcopter

copter

There’s a reason we’ve seen a menagerie of quadcopters over the past few years – the key piece of any quadcopter build is an inertial measurement unit. Historically a very complicated and expensive piece of kit, these IMUs came down in price a few years back, allowing anyone with a few dollars in their pocket and a handful of brushless motors to build a four-bladed drone in their workshop.

[Starlino] built a few quadcopters, but he wanted to shy away from IMUs and get most of the mass of his new ‘copter over the center of the chassis. He came up with a design he calls the quadhybrid that can be built out of a quartet of those cheap 3-channel helicopter toys.

Most of the lift for [Starlino]‘s quadhybrid comes from a pair of coaxial rotors from a Syma 001 3-channel helicopter toy. Anyone who has played with one of these toy helicopters knows how stable they are; if the tail rotor breaks, you’re left with a helicopter that can only go up and down.

To give his quadhybrid a few degrees of freedom, he attached four tail rotors from 3-channel helis to a few booms laid out in a cross pattern. By taking the receiver out of a 4-channel helicopter and adding his own controller board, [Starlino] made each of the tail rotors control the pitch and roll of the craft.

In the video after the break, you can see the quadhybrid is amazingly stable even without an IMU and surprisingly agile. As [Starlino]‘s ‘copter can be made out of replacement parts for cheap 3-channel helis, we’ll expect a rush on these tail motors at your favorite online RC retailer very shortly.

[Read more...]

Reverse engineering a Syma 107 toy helicopter IR protocol

Half the fun of buying toys for your kids is getting your hands on them when they no longer play with them. [Kerry Wong] seems to be in this boat. He bought a Syma S107G helicopter for his son. The flying toy is IR controlled and he reverse engineered the protocol it uses. This isn’t the first time we’ve seen this type of thing with the toy. In fact, we already know the protocol has been sniffed and there is even a jammer project floating around out there. But we took a good look at this because of what you can learn from [Kerry's] process.

He starts by connecting an IR photo diode to his oscilloscope. This gave him the timing between commands and allowed him to verify that the signals are encoded in a 38 kHz carrier signal. He then switched over to an IR module designed to demodulate this frequency. From there he captures and graphs all of the possible control configuration, establishing a timing and command set for the device. He finishes it off by building a replacement controller based on an Arduino. You can see a video of that hardware after the break.

[Read more...]

IR helicopter controller hacked into a Linux game pad

syma-linux-joystick

[Mike Kohn’s] Syma S107 helicopter wasn’t flying as well as it used to due to a broken gear, he figured he might as well find some use for the toy’s controller, since it was currently sitting around collecting dust. Having done a bunch of work with Syma IR protocols earlier this year, he decided it would be pretty easy to get the remote working as a game pad for his Linux desktop.

He patched an IR receiver into an MSP430 board, which decodes the incoming IR signals, sending them to his computer over a serial connection. [Mike] dug around in the Linux source for some good joystick driver code to borrow and found something that was close enough to work. After a bit of tweaking he loaded up his driver module and fired up Mame to give [Ms. Pacman] a try.

He says that the controller worked without much trouble, though as he discovered in previous projects, there are some quirks in the controller that make it somewhat less than convenient to use full time. Check out his site if you’re interested in taking a look at the code that he used to get things running.

Decoding, then cloning an IR helicopter toy’s control signals

[Mike Field] got his hands on this Syma S107 helicopter with the intention of hacking it. After playing around with it for a while he set out to build his own infrared controller for the toy. It seems there is some protocol information about it published in various forum posts, but he decided it would be more fun to figure it out for himself.

He started off trying to capture the IR signals using Adafruit’s tutorial which has come in handy on a number of other projects. He could get his television remote to register, but not the toy’s controller. This didn’t stop fun, instead he tore open the controller and grabbed a logic sniffer to see what’s being pushed to the IR LEDs. The signals are a bit curious. It seems two different packets are sent with each command which [Mike] thinks is for use with two different models of the toy. In addition to that the frames are not synchronized. But a bit of 10 MHz sampling helped him to figure everything out, and he believes he’s got a more accurate version of the protocol than had previously been discovered. To prove it he developed an FPGA-based controller using VHDL which he shows off in the clip after the break.

[Read more...]

Jam a remote helicopter

The Syma S107 IR is a popular little remote controlled helicopter. When a friend of [Michael]‘s started flying one around the office he decided to try and jam the signal, creating a no fly zone. Luckily some people on the internet have already decoded the IR signals used by the flying menace. From there, a quick browsing of Mouser to source some LEDs, and to whip up some code for a TI MSP430 was all that was left.

The software on the micro controller is set to broadcast a “thrust off” signal, but [Michael] admits he is not 100% sure if the helicopter is actually receiving that, or if the signal from the no fly zone is mixing with the remote’s signal, causing garbage to be received. Either way when the helicopter gets in range of the no fly zone pad it drops from the air.

Things didn’t go perfectly though, overestimating the current capabilities of the MSP was causing the micro controller to reset and crash the debugger. But a simple rearrangement of how the signals are sent quickly solved this problem.

Join us after the break for a quick video.

[Read more...]